When SonarQube is installed, by default, the product is totally open so that new users can easily discover and evaluate it:
- you don't need to log in to analyze a new project
- when a project is created, anyone can see and browse the source code
This configuration can too easily leave the instance exposed when it goes into production and becomes reachable from the Internet. This is a security risk for SonarQube users who have not mastered the process of securing the installation.
We want SonarQube to provide a default setup which:
- decreases the risk of an uncontrolled SonarQube instance and of sensitive data being disclosed
- but does not introduce friction for first-time exploration of SonarQube
- As a user who discovers SonarQube, I want to be able to easily run a project analysis and discover the functionalities of the product.
- I want to be able to share the results of my investigation with my teammates/hierarchy and to let my colleagues analyze additional projects.
- When I am ready to go into production, I want my instance to not be at risk by default, i.e. to not expose sensitive data and to not be open to malicious use. Without extra effort on my side, my instance does not allow any unwanted person to see the projects, to analyze a new project or to administer the instance.
- It should be easy for a user who doesn't know SonarQube to discover the product: only a few steps should be required to analyze a project and see the results in SonarQube.
- The default setup of SonarQube should make it secure, so that it can go into production without an administrator needing to manually reinforce the security.
- We want to implement a minimal increment to secure new instances by default, but not go the extra mile to:
  - force a password policy
  - force tighter security practices
  - preconfigure SonarQube for higher performance
- On new instances, the SonarQube default configuration will now enforce user authentication.
- Project default visibility will remain public.
  The administrator as well as every authenticated user can access the instance.
- The default permissions will remain permissive.
  Every authenticated user can browse the projects and see the source code.
- As it is today, an empty Projects page invites you to analyze a project, and project creation guides you to create a token -> an authenticated user can easily run a first analysis of a project.
  Every authenticated user can create and analyze any project.
- Documentation (https://docs.sonarqube.org/latest/instance-administration/security/) should be updated to explain how to disable forced authentication and to warn about the consequences.
Out of scope
- With the first "admin" login in the UI, the user can be asked to change the password.
- The About page becomes much less visible and could be dropped. It currently presents a recap of the main concepts, which should rather be well explained in the very first pages of the documentation. If authentication is not enforced, the default homepage for anonymous users could become the Projects page.
- Set the default value to true for 'sonar.forceAuthentication' everywhere it is used; see the usages of "org.sonar.api.CoreProperties#CORE_FORCE_AUTHENTICATION_PROPERTY".
- That change will require adjusting the ITs, especially the UI ones and those that use the scanner (pass a token or user/password).
- Make sure that upgraded instances behave as they did previously.
- We'll update the description of the property in the Settings so that it highlights the risk of disabling authentication.
- Update scanners pages if necessary
- Find a place in the docs to explain that authentication will be required
- Other places?
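To make the "secure by default on new instances, unchanged behaviour on upgraded instances" rule concrete, here is an added illustration; it is not SonarQube's own code. The precedence order (explicit sonar.properties value, then a persisted setting, then the default), the dict standing in for the persisted settings store, and the function names are assumptions for the example.

```python
"""Resolve the effective sonar.forceAuthentication value for a new versus an
upgraded instance. Illustrative code, not SonarQube's implementation."""
from typing import Dict

PROPERTY = "sonar.forceAuthentication"
NEW_DEFAULT = True      # new default applied to fresh installations
LEGACY_DEFAULT = False  # what instances created before the change implicitly had


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for a sonar.properties-style file: key=value lines,
    blank lines and '#' comments ignored (assumed format for the example)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def as_bool(value: str) -> bool:
    """Accept only 'true'/'false' (case-insensitive); reject anything else."""
    lowered = value.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"{PROPERTY} must be true or false, got {value!r}")
    return lowered == "true"


def resolve_force_authentication(conf_text: str, persisted: Dict[str, str],
                                 fresh_install: bool) -> bool:
    """Assumed precedence: conf file > persisted setting > default.
    An upgraded instance that never set the property gets the legacy value
    written to the persisted store, so the upgrade cannot silently flip it."""
    conf = parse_properties(conf_text)
    if PROPERTY in conf:
        return as_bool(conf[PROPERTY])
    if PROPERTY in persisted:
        return as_bool(persisted[PROPERTY])
    if fresh_install:
        return NEW_DEFAULT
    persisted[PROPERTY] = str(LEGACY_DEFAULT).lower()  # record old behaviour explicitly
    return LEGACY_DEFAULT
```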